Malware Analysis Report

2024-11-16 13:39

Sample ID 240531-b5tg3sae8y
Target e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
SHA256 e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51
Tags: xworm execution rat trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51

Threat Level: Known bad

The file e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Xworm

Detect Xworm Payload

Detects Windows executables referencing non-Windows User-Agents

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 01:44

Reported

2024-05-31 01:46

Platform

win7-20240508-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2688 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
DE 104.250.180.178:7061 tcp

Files

memory/2400-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/2400-1-0x0000000000B80000-0x0000000000C02000-memory.dmp

memory/2400-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2400-3-0x00000000004D0000-0x00000000004E8000-memory.dmp

memory/2400-4-0x0000000000390000-0x00000000003A0000-memory.dmp

memory/2400-5-0x0000000004360000-0x00000000043B6000-memory.dmp

memory/2688-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2688-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-18-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2688-21-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2400-22-0x00000000746F0000-0x0000000074DDE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 33ac71d4ed9c4992ad83ab69551bb004
SHA1 29697ceb57293e7d236a16088fc4c00a39bff3d0
SHA256 5e1a467ec7c4cead8e10749b1d337def1b4ff203d38b34845e36768b724c0477
SHA512 8ab8eb0c61ce4e4174fde500862635c223b529cd814e7f687e4357698b5f998a1b584ac3455b28050bd02aad9b14ae64853dab17f684b29a9d5b3144940ff18e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\XClient.exe

MD5 0f2eaea796ec4d932ac2d94c61f6b60d
SHA1 bd5f3e5043afebcc1c08e763ab8afc0183f5b7f7
SHA256 e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51
SHA512 addee2ef8b337d2241da0a4fd02e378365e5bb998b1e7603821a91723cc0a4d7c3dee99ba2f016df227d2a5c84ef1939aa4a72dbfc595b788195cdc2025bf69c

memory/2688-47-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2688-48-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2688-49-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 01:44

Reported

2024-05-31 01:46

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 2728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe
PID 1616 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe

"C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 104.250.180.178:7061 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 178.180.250.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2728-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

memory/2728-1-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/2728-2-0x00000000058B0000-0x0000000005E54000-memory.dmp

memory/2728-3-0x00000000051C0000-0x0000000005252000-memory.dmp

memory/2728-4-0x0000000005260000-0x000000000526A000-memory.dmp

memory/2728-6-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2728-5-0x00000000054C0000-0x000000000555C000-memory.dmp

memory/2728-7-0x0000000005890000-0x00000000058A8000-memory.dmp

memory/2728-8-0x0000000005600000-0x0000000005610000-memory.dmp

memory/2728-9-0x0000000006780000-0x00000000067D6000-memory.dmp

memory/1616-10-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e879f3a1cc7733303f6edebd710066dd418d78dbbc1a1393b50d4fc3d1d74b51.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1616-13-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2728-14-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2000-16-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2000-15-0x0000000002DE0000-0x0000000002E16000-memory.dmp

memory/2000-17-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2000-18-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/2000-19-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/2000-20-0x00000000057B0000-0x00000000057D2000-memory.dmp

memory/2000-21-0x0000000005F00000-0x0000000005F66000-memory.dmp

memory/2000-22-0x0000000005F70000-0x0000000005FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khwvehps.pjh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2000-28-0x00000000060E0000-0x0000000006434000-memory.dmp

memory/2000-33-0x00000000066E0000-0x00000000066FE000-memory.dmp

memory/2000-34-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/2000-35-0x0000000006CD0000-0x0000000006D02000-memory.dmp

memory/2000-47-0x00000000078C0000-0x0000000007963000-memory.dmp

memory/2000-46-0x0000000006C70000-0x0000000006C8E000-memory.dmp

memory/2000-36-0x0000000071180000-0x00000000711CC000-memory.dmp

memory/2000-49-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/2000-48-0x0000000008050000-0x00000000086CA000-memory.dmp

memory/2000-50-0x0000000007A70000-0x0000000007A7A000-memory.dmp

memory/2000-51-0x0000000007C80000-0x0000000007D16000-memory.dmp

memory/2000-52-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/2000-53-0x0000000007C30000-0x0000000007C3E000-memory.dmp

memory/2000-54-0x0000000007C40000-0x0000000007C54000-memory.dmp

memory/2000-55-0x0000000007D40000-0x0000000007D5A000-memory.dmp

memory/2000-56-0x0000000007D20000-0x0000000007D28000-memory.dmp

memory/2000-59-0x0000000074F10000-0x00000000756C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8dc6cf123e290e505eac3107c4a9b3e9
SHA1 bec38f764e3260469894afc8b5c7a6679c59455e
SHA256 940dfab6b15b279eeef2c729c7fef6ccf39e0407a50971426ea4ae7bb58dcbc2
SHA512 c2053918b79d953a88235e50a49b17b8c43dad4a52a92523a9365006db94398d74724b442428e3b05b0b7af7e9e5340c23c73e28e96654341e9c4dfec50b2d74

memory/3416-71-0x0000000071180000-0x00000000711CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7f576d67137e1ffb2c7ef5d3e7dfb74
SHA1 34c9a92fc7273813934b5d8a84847564f3d61f26
SHA256 dec57f9c288c8e86104ab18df4b1dc3d573ffaaffad49579025b656b8823face
SHA512 bedea892454cb8ee7b3d43c55f96bc142ad5b9cf788bbbdef3a5d6e1ac2766efb95d3c756de86772d03a94077e2e5e8b3c11b200977bcb676b3fa51be7588311

memory/3044-92-0x0000000071180000-0x00000000711CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd4b1530a1446024ef5299ef6f00025e
SHA1 bc3b8ca870d3a3536422f92b50221da66c9f8531
SHA256 ef988f28b935a54e7a5a477fecaf06e3ec645722477ea0cfc752a72026a02481
SHA512 035be0684a81b578a45ea6dab376dfe25bcd28f4330a7b4671c9cffbc5fda29764382533ff769a5a809b746e98eb01cf1a554702a1c0afb079718b15b5ccb064

memory/2464-113-0x0000000071180000-0x00000000711CC000-memory.dmp

memory/1616-128-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/1616-129-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/1616-130-0x0000000074F10000-0x00000000756C0000-memory.dmp